a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29

Analysis

max time kernel
188s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
Size

164KB
MD5

5313f9c201fbaaf4be43d7d9e6249b89
SHA1

5cf30234ad84577a51c8f3e72c0eda5f778a198c
SHA256

a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29
SHA512

d4387c753268dffd8e79a0cecacb6881ae4d1271a30ba44b0efac0197dac75a33159a4038632443d49fd3a53f4cd479042c8a19b00592e76a677a3b643583b9c
SSDEEP

1536:alhtkWAlIS4i7TLhLsNgqi4Cr3DEaUJBYiVIHvUdR/eDoZJAO1dGV4VE:SWW04i7ZLsNgqE3ofJBYiVIiMDoZ3dG

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yuuunon.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	yuuunon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /z"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /u"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /w"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /q"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /s"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /i"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /v"	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /z"	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /x"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /v"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /s"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /y"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /g"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /f"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /p"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /n"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /g"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /k"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /l"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /l"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /d"	yuuunon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /k"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /y"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /m"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /x"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /c"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /o"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /z"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /r"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /a"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /j"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /v"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /r"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /c"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /d"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /i"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /t"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /h"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /o"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /n"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /b"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /t"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /j"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /q"	yuuunon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /p"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /h"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /w"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /f"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /a"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /b"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /m"	yuuunon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /u"	yuuunon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /e"	yuuunon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuuunon = "C:\\Users\\Admin\\yuuunon.exe /e"	yuuunon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3220	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
3220	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe
4392	yuuunon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4392	yuuunon.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3220	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
4392	yuuunon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 4392	3220	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe	81
PID 3220 wrote to memory of 4392	3220	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe	81
PID 3220 wrote to memory of 4392	3220	a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe	81

C:\Users\Admin\AppData\Local\Temp\a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe
"C:\Users\Admin\AppData\Local\Temp\a110d8607ae1ca197564f46341cb2ad1fc908c91319bd2108fa164db1f4feb29.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\yuuunon.exe
  "C:\Users\Admin\yuuunon.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\yuuunon.exe

Filesize
164KB

MD5
fc7280307c3bc9f59625fbcc3848d094

SHA1
56b2aafe26fc6efbb6f3950ff154b4e2314bdb41

SHA256
fb47bdae0af29bf8d68837ea9d7afdc66594a1505d1fee51410d16328579cef4

SHA512
19ce8a635d7a11bc0fb4483e7b2e2ed71021b03021981e809da3b310c2940cb26d1bd9d539a4a3d5e22fb7bae3a9354314dba4a9a4f66e0dd9308058c93da811

Download Submit
C:\Users\Admin\yuuunon.exe

Filesize
164KB

MD5
fc7280307c3bc9f59625fbcc3848d094

SHA1
56b2aafe26fc6efbb6f3950ff154b4e2314bdb41

SHA256
fb47bdae0af29bf8d68837ea9d7afdc66594a1505d1fee51410d16328579cef4

SHA512
19ce8a635d7a11bc0fb4483e7b2e2ed71021b03021981e809da3b310c2940cb26d1bd9d539a4a3d5e22fb7bae3a9354314dba4a9a4f66e0dd9308058c93da811

Download Submit